EDR: CBLR commands cause .tmp files to consume endpoint's disk

Article ID: 289832

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • A .tmp file in C:\Windows\CarbonBlack continues to grow to several GB in size
  • A process executed from Live Response via execfg is running in the background

Environment

  • EDR Server: All Versions (Formerly CB Response)
  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Cause

The command is requesting user input, and the request is constantly printed to the .tmp file (CB-27472)

Resolution

Stop the process
  1. From CBLR, find the process's PID in the process list
     ps
  2. Use the PID to kill the process
     kill PID

Additional Information

  • Sensor services may need to be restarted if the session for the endpoint is still active. This will be obvious if an error is logged when any new commands are run
    • Error: NOT FOUND - Session 4 currently processing command 7
  • execfg should not be used for commands requiring user input
  • Commands should be tested on a subset of systems before running against large deployments
  • Flags such as /y to skip prompts can also be used to work around the issue
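
A check for the symptom described under Issue/Introduction, written as an added example that is not part of the original article or of Carbon Black's own tooling: it samples the .tmp files in C:\Windows\CarbonBlack twice and reports any that are large or still growing. The function name, parameters and thresholds are assumptions chosen for illustration.

```powershell
# Added example: report .tmp files in the sensor directory that are large or still growing.
# Function name, parameter names and default thresholds are assumptions, not product values.
function Get-GrowingTmpFile {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\Windows\CarbonBlack',  # directory named in the article
        [int]$IntervalSeconds = 30,                # time between the two size samples
        [int]$MinSizeMB = 100                      # also report static files at or above this size
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path"
        return
    }

    # First sample: full path -> size in bytes.
    $before = @{}
    Get-ChildItem -LiteralPath $Path -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $_.Refresh()   # re-query the file; a listing can show a stale size for an open file
            $before[$_.FullName] = $_.Length
        }

    Start-Sleep -Seconds $IntervalSeconds

    # Second sample: compare each file against its first size.
    Get-ChildItem -LiteralPath $Path -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $_.Refresh()
            $old   = if ($before.ContainsKey($_.FullName)) { $before[$_.FullName] } else { 0 }
            $delta = $_.Length - $old
            if ($delta -gt 0 -or $_.Length -ge ($MinSizeMB * 1MB)) {
                [pscustomobject]@{
                    File          = $_.FullName
                    SizeMB        = [math]::Round($_.Length / 1MB, 1)
                    GrowthKB      = [math]::Round($delta / 1KB, 1)
                    BytesPerSec   = [math]::Round($delta / $IntervalSeconds, 0)
                    LastWriteTime = $_.LastWriteTime
                }
            }
        } | Sort-Object -Property GrowthKB -Descending
}

Get-GrowingTmpFile | Format-Table -AutoSize
```

A file that shows non-zero growth across the interval points to a process that is still writing; the ps and kill steps under Resolution apply to that process.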